Security-sensitive companies (nowadays, almost every company that is connected to the internet) spend a lot of manpower and, most importantly, financial resources trying to keep their infrastructure and users safe from the latest threats the internet has to offer. This means spending thousands of dollars on the most recent technology, training people and monitoring the environment. The irony of it all is knowing that all this effort and investment could come down at once with a single click. Of course, the more security layers you have, the lower the chance of someone clicking or running something suspicious on his or her computer.
Cyber hygiene comes into play when we look for an answer to this problem. It can be defined as the individual's responsibility for maintaining safe behavior in his or her actions at the workplace and even at home. Safe behavior includes, for example, checking whether an e-mail is legitimate or expected before opening it or downloading any attachments, and not providing personal information, like passwords, to anyone. Unfortunately, this kind of behavior isn't present in most companies around the world, and that's the problem.
Most users have the idea that the company alone is responsible for keeping their information, work tools (such as PCs) and everything work-related safe and sound from threats. As a result, people usually don't think about or critically analyze what they are doing before it's done, for example opening a file that arrived by e-mail or clicking a link. Others may say that their fast-paced day-to-day tasks leave them no time to stop and analyze everything.
Regardless of the reason, the truth is that everyone should approach their day-to-day work tasks the same way they act on the street or with strangers. You usually don't accept anything offered by someone you have never seen before or who looks suspicious on the street, and you don't follow people around when they call you over for an irresistible offer at the store around the corner, do you?
So, how should we reach these people and pass on some knowledge about cyber hygiene? It's crystal clear that people who don't care about this kind of subject won't invest much time or attention in it, and making them go through long training or read extensive documentation won't bring much result. That's where security awareness comes in.
Successful security awareness programs should deliver the following:
- Relevant information for the people you are trying to inform;
- Quick and easy-to-understand directives (tips);
- Illustrative images to go with the messages you send;
- Gamification of security awareness is also a plus, if possible;
- Up-to-date subjects: the latest information leaks, attacks or trends;
- Physical actions, the work desk and behaviors that take place in the physical world should also be included;
- Recurrence and knowledge evaluation.
Unfortunately, there's no silver bullet for security awareness programs, but there are guidelines you should follow and adapt to your reality. The goal is the same for any program: to make people think and question before taking any action.
I would recommend starting small with informative e-mails or maybe phishing campaigns, and measuring the results of those actions to check whether they are being effective. It's also very important to be aligned with your Human Resources department, as they have the expertise to talk with employees and may be able to require them to take the awareness courses or tests.
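One way to measure the results of such a simulated phishing campaign, as an added example that is not part of the original post: the script below takes a constructed event log (sent, clicked and reported events per user) from two simulated campaigns, computes the click rate, report rate and median time-to-report for each, and checks whether the second campaign improved on the first. The log format, the campaign names c1/c2 and the user names are assumptions made for illustration; a real campaign tool would export similar records.

```python
"""Measure the results of a simulated phishing campaign.

Added example, not part of the original post. The event log below is
constructed for illustration; real campaigns would export similar records
from whatever tool sent the simulation.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: one line per event, "timestamp,campaign,user,event".
# Events: sent, clicked, reported (user forwarded the mail to the security team).
SAMPLE_LOG = """\
2024-03-01T09:00:00,c1,alice,sent
2024-03-01T09:00:00,c1,bob,sent
2024-03-01T09:00:00,c1,carol,sent
2024-03-01T09:00:00,c1,dave,sent
2024-03-01T09:05:00,c1,alice,clicked
2024-03-01T09:07:00,c1,bob,clicked
2024-03-01T09:40:00,c1,carol,reported
2024-03-01T09:45:00,c1,bob,reported
2024-04-01T09:00:00,c2,alice,sent
2024-04-01T09:00:00,c2,bob,sent
2024-04-01T09:00:00,c2,carol,sent
2024-04-01T09:00:00,c2,dave,sent
2024-04-01T09:03:00,c2,alice,reported
2024-04-01T09:10:00,c2,dave,clicked
2024-04-01T09:12:00,c2,carol,reported
2024-04-01T09:30:00,c2,bob,reported
"""


def parse_log(text):
    """Yield (timestamp, campaign, user, event) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, campaign, user, event = parts
        yield datetime.fromisoformat(ts), campaign, user, event


def campaign_metrics(text):
    """Per campaign: click rate, report rate and median minutes from send to first report.

    Rates are computed per user (a user who clicks twice counts once), and a
    report counts even when the same user clicked first, since reporting is the
    behaviour an awareness program wants to reinforce.
    """
    sent = defaultdict(dict)       # campaign -> user -> send time
    clicked = defaultdict(set)     # campaign -> users who clicked
    reported = defaultdict(dict)   # campaign -> user -> first report time
    for ts, campaign, user, event in parse_log(text):
        if event == "sent":
            sent[campaign][user] = ts
        elif event == "clicked":
            clicked[campaign].add(user)
        elif event == "reported":
            reported[campaign].setdefault(user, ts)

    metrics = {}
    for campaign, recipients in sent.items():
        n = len(recipients)
        reporters = [u for u in reported[campaign] if u in recipients]
        report_delays = [
            (reported[campaign][u] - recipients[u]).total_seconds() / 60 for u in reporters
        ]
        metrics[campaign] = {
            "sent": n,
            "click_rate": round(len(clicked[campaign] & set(recipients)) / n, 3),
            "report_rate": round(len(reporters) / n, 3),
            "median_minutes_to_report": round(median(report_delays), 1) if report_delays else None,
        }
    return metrics


def is_improving(metrics, earlier, later):
    """True when the later campaign has a lower click rate and a higher report rate."""
    a, b = metrics[earlier], metrics[later]
    return b["click_rate"] < a["click_rate"] and b["report_rate"] > a["report_rate"]


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_LOG)
    for name, stats in sorted(m.items()):
        print(name, stats)
    print("improving:", is_improving(m, "c1", "c2"))
```

Tracking the report rate and time-to-report alongside the click rate matters because the click rate alone rewards silence: a user who clicks and then reports within minutes has given the security team something to act on, while a user who neither clicks nor reports has not shown the behaviour the program is trying to build.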
There's an awesome free resource for this kind of awareness, but it is a Brazilian entity with all its content in Portuguese; if you can understand Brazilian Portuguese, I strongly recommend checking this site out. As soon as I find anything like it in English, I'll be sure to share it with you all.
As usual, feel free to comment below and to get in touch with me.